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Abstract 


Multilinear Galois Mode (MGM) is an Authenticated Encryption with Associated Data (AEAD) 
block cipher mode based on the Encrypt-then-MAC (EtM) principle. MGM is defined for use with 
64-bit and 128-bit block ciphers. 


MGM has been standardized in Russia. It is used as an AEAD mode for the GOST block cipher 
algorithms in many protocols, e.g., TLS 1.3 and IPsec. This document provides a reference for 
MGM to enable review of the mechanisms in use and to make MGM available for use with any 
block cipher. 


Status of This Memo 


This document is not an Internet Standards Track specification; it is published for informational 
purposes. 


This is a contribution to the RFC Series, independently of any other RFC stream. The RFC Editor 
has chosen to publish this document at its discretion and makes no statement about its value for 
implementation or deployment. Documents approved for publication by the RFC Editor are not 
candidates for any level of Internet Standard; see Section 2 of RFC 7841. 


Information about the current status of this document, any errata, and how to provide feedback 
on it may be obtained at https://www.rfc-editor.org/info/rfc9058. 
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This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF 
Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this 
document. Please review these documents carefully, as they describe your rights and restrictions 
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1. Introduction 


Multilinear Galois Mode (MGM) is an Authenticated Encryption with Associated Data (AEAD) 
block cipher mode based on EtM principle. MGM is defined for use with 64-bit and 128-bit block 
ciphers. The MGM design principles can easily be applied to other block sizes. 
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MGM has been standardized in Russia [AUTH-ENC-BLOCK-CIPHER]. It is used as an AEAD mode 
for the GOST block cipher algorithms in many protocols, e.g., TLS 1.3 and IPsec. This document 
provides a reference for MGM to enable review of the mechanisms in use and to make MGM 
available for use with any block cipher. 


This document does not have IETF consensus and does not imply IETF support for MGM. 


2. Conventions Used in This Document 


The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD 
NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to 
be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in 
all capitals, as shown here. 


3. Basic Terms and Definitions 


This document uses the following terms and definitions for the sets and operations on the 
elements of these sets: 


V* The set of all bit strings of a finite length (hereinafter referred to as strings), including 
the empty string; substrings and string components are enumerated from right to left 
starting from zero. 


Vs The set of all bit strings of length s, where s is a non-negative integer. For s = 0, the V 0 
consists of a single empty string. 


|X| The bit length of the bit string X (if X is an empty string, then |X| = 0). 


X || Y Concatenation of strings X and Y both belonging to V* i.e., a string from V_{| X|+|Y|}, 
where the left substring from У (|Х| is equal to X, and the right substring from V {| 
У | } is equal to Y. 


a^s The string in V. s that consists of s 'a' bits. 

(xor) Exclusive-or of two bit strings of the same length. 
7 (248) Ring of residues modulo 2^s. 

MSB i У $->У 1 


The transformation that maps the string X = (x {5-1}, ...,х 0) in V_s into the string 
МВ i(X) = (x {3-1}, ..., x_{s-i}) in V_i, i <= $ (most significant bits). 


Int_s V_s -> 7 {2^$} 


The transformation that maps the string X = (x {5-1}, ... , х_0) in V_s, $ > 0, into the 
integer Int_s(X) = 24{s-1} * x_{s-1} +... + 2 * x_1 +х 0 (the interpretation of the bit 
string as an integer). 
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Z_{24s} -> У $ 


The transformation inverse to the mapping Int s (the interpretation of an integer as a 
bit string). 


V_n -> Үп 
The block cipher permutation under the key K in V_k. 


The bit length of the block cipher key. 
The block size of the block cipher (in bits). 
V_s -> V_{n/2} 


The transformation that maps a string X in V_s, 0 <= s <= 2^{n/2} - 1, into the string len 
(X) = Vec_{n/2}(|X|) in V_{n/2}, where п is the block size of the used block cipher. 


The addition operation in Z_{2^{n/2}}, where n is the block size of the used block 
cipher. 


The transformation that maps two strings, X = (x_{n-1}, ..., x_0) in V_n and Y = (y_{n-1}, 
… , y_0),in V_n into the string Z = X (x) Y = (z_{n-1}, ... , z_0) in V_n; the string Z 
corresponds to the polynomial Z(w) = z_{n-1} * w^{n-1} +... + 2 1“ w + z_0, which is 
the result of multiplying the polynomials X(w) = x_{n-1} * w^{n-1} +... + x_1 * w + x_0 
and Y(w) = y_{n-1} * w^{n-1} +... + y_1 * w + y_0 in the field GF(2^n), where n is the 
block size of the used block cipher; if n = 64, then the field polynomial is equal to f(w) = 
W^64 + wA4 + wA3 + w + 1; if n = 128, then the field polynomial is equal to f(w) = w^128 
+ W^7 + W^2 + W + 1. 


Vn-Vn 


The transformation that maps an n-byte string A = L || R into the n-byte string incr 1 
(A) = Vec_{n/2}(Int_{n/2}(L) [+] 1) | | В, where L and R are n/2-byte strings. 


V_n -> Үп 


The transformation that maps an n-byte string A = L | | R into the n-byte string incr_r 
(A) = L | | Vec_{n/2}(Int_{n/2}(R) [+] 1), where L and R аге n/2-byte strings. 


4. Specification 


An additional parameter that defines the functioning of MGM is the bit length S of the 
authentication tag, 32 <= S <= n. The value of S MUST be fixed for a particular protocol. The choice 
of the value S involves a trade-off between message expansion and the forgery probability. 
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4.1. MGM Encryption and Tag Generation Procedure 


The MGM encryption and tag generation procedure takes the following parameters as inputs: 


1. Encryption key K in V k. 

2. Initial counter nonce ICN in V_{n-1}. 

3. Associated authenticated data A, 0 <= |A| < 24{n/2}. If |A| >0,thenA=A_1 ||... | | A* ПА) 
in V_n, Юг] = 1, ..., h - 1, A*_hin V_t, 1 <= t <= n. If |A| = 0, then by definition A*_h is empty, 
and the h and t parameters are set as follows: h = 0, t = n. The associated data is 
authenticated but is not encrypted. 

4. Plaintext P, <= |P| < 24{n/2}. If |P| >0,then P = P_1 ||... | | Р* а, Рут V_n, fori=1,...,q- 
1, P*_q in V_u, 1 <= u<=n. If |P| = 0, then by definition P* д is empty, and the q and u 
parameters are set as follows: q = 0,u = n. 


The MGM encryption and tag generation procedure outputs the following parameters: 


1. Initial counter nonce ICN. 

2. Associated authenticated data A. 
3. Ciphertext C in V_{| P|}. 

4. Authentication tag T in V S. 
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The MGM encryption and tag generation procedure consists of the following steps: 
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The ICN value for each message that is encrypted under the given key K must be chosen in a 


unique manner. 


Users who do not wish to encrypt plaintext can provide a string P of zero length. Users who do 
not wish to authenticate associated data can provide a string A of zero length. The length of the 


associated data A and of the plaintext P MUST be such that 0 < |A| + 


|P| < 270/2). 


4.2. MGM Decryption and Tag Verification Check Procedure 


The MGM decryption and tag verification procedure takes the following parameters as inputs: 


1. Encryption key K in V k. 


2. Initial counter nonce ICN in У (n-1). 


Smyshlyaev, et al. 


Informational 


Page 6 


RFC 9058 Multilinear Galois Mode (MGM) June 2021 


3. Associated authenticated data А, 0 <= |A| < 24{n/2}. If |A| >0, then А-А 1 ||... || А“ ПА) 
in V_n, Юг] = 1, ..., h - 1, A*_hin V_t, 1«-t«-n.If |A| = 0, then by definition А“ his empty, 
and the h and t parameters are set as follows: h = 0, t = n. The associated data is 
authenticated but is not encrypted. 

4. Ciphertext С, <= |C| < 24{n/2}. If |C| 0, then C =C_1 ||... || C*_g, C_iin V_n, fori=1,..., q 
- 1, C*_q in V_u, 1 <= u <=n. If |C| = 0, then by definition С“ с is empty, and the q and u 
parameters are set as follows: q = 0,u = n. 

5. Authentication tag T in V_S. 


The MGM decryption and tag verification procedure outputs FAIL or the following parameters: 


1. Associated authenticated data A. 
2. Plaintext P in V_{|C]}. 


The MGM decryption and tag verification procedure consists of the following steps: 


ДЕ Padding step: 
АН = Ax-h || O4{n-t}, 
C*_q || 8^ín-uj. 


= iu 


2. Authentication tag T verification step: 
Ил = Е КОРТ || ТСМ), 
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The length of the associated data A and of the ciphertext С MUST be such that 0 < |А | + |C] < 2^ 
{n/2}. 


5. Rationale 
MGM was originally proposed in [PDMODE]. 


From the operational point of view, MGM is designed to be parallelizable, inverse free, and 
online and is also designed to provide availability of precomputations. 


Parallelizability of MGM is achieved due to its counter-type structure and the usage of the 
multilinear function for authentication. Indeed, both encryption blocks E_K(Y_i) and 
authentication blocks H_i are produced in the counter mode manner, and the multilinear 
function determined by H i is parallelizable in itself. Additionally, the counter-type structure of 
the mode provides the inverse-free property. 


The online property means the possibility of processing messages even if it is not completely 
received (so its length is unknown). To provide this property, MGM uses blocks E K(Y i) and H i, 
which are produced based on two independent source blocks Y i and Z i. 


Availability of precomputations for MGM means the possibility of calculating Н i and E K(Y i) 
even before data is retrieved. It holds again due to the usage of counters for calculating them. 


6. Security Considerations 


The security properties of MGM are based on the following: 


Different functions generating the counter values: 
The functions incr г and incr 1 are chosen to minimize intersection (if it happens) of counter 
values Y i and Z i. 


Encryption of the multilinear function output: 
It allows attacks based on padding and linear properties to be resisted (see [FERG05] for 
details). 


Multilinear function for authentication: 
It allows the small subgroup attacks to be resisted [SAAR12]. 


Encryption of the nonces (0^1 | | ICN) and (1^1 | | ICN): 
The use of this encryption minimizes the number of plaintext/ciphertext pairs of blocks 
known to an adversary. It prevents attacks that need a substantial amount of such material 
(e.g., linear and differential cryptanalysis and side-channel attacks). 


It is crucial to the security of MGM to use unique ICN values. Using the same ICN values for two 
different messages encrypted with the same key eliminates the security properties of this mode. 
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It is crucial for the security of MGM not to process empty plaintext and empty associated data at 
the same time. Otherwise, a tag becomes independent from a nonce value, leading to 
vulnerability to forgery attacks. 


Security analysis for MGM with E_K being a random permutation was performed in [SEC-MGM]. 
More precisely, the bounds for confidentiality advantage (CA) and integrity advantage (IA) (for 
details, see [AEAD-LIMITS]) were obtained. According to these results, for an adversary making 
at most q encryption queries with the total length of plaintexts and associated data of at most $ 
blocks, and allowed to output a forgery with the summary length of ciphertext and associated 
data of at most 1 blocks: 


СА <= ( 3( s + 4q )^2 )/ 2^n, 
ТА <= (3($+44+1+3)^2 )/ 2An + 2/2AS, 
where п is the block size and $ is the authentication tag size. 


These bounds can be used as guidelines on how to calculate confidentiality and integrity limits 
(for details, also see [AEAD-LIMITS]). 


7. IANA Considerations 


This document has no IANA actions. 
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Appendix A. Test Vectors 


A.1. Test Vectors for the Kuznyechik Block Cipher 


Test vectors for the Kuznyechik block cipher (n = 128, k = 256) are defined in [GOST3412-2015] 
(the English version can be found in [RFC7801]). 
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A.1.1. Example 1 


Encryption key K: 
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00000: 88 99 AA BB CC DD EE 
00010: FE DC BA 98 76 54 32 
ICN: 

00000: 22033 44555 66577 
Associated authenticated data 
00000: 02 02 02 02 02 02 02 
00010: 04 04 04 04 04 04 04 
00020: EA 05 05 05 05 05 05 
Plaintext P: 

00000: 11 22 33 44 55 66 77 
00010: 00 11 22 33 44 55 66 
00020: (k 2233354455 66577 
000380: 22 33 44 55 66 77 88 
00040: AA BB CC 
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1. Encryption step: 
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2. Padding step: 


АТ || 
00000: 
00010: 
00020: 


Cale |i 
00000: 
00010: 
00020: 
00030: 
00040: 


Smyshlyaev, et al. 


|| Ache 


92 02 02 
04 04 04 
EA 05 05 


|| C_q 


A9 75 7B 


80 75 02 
49 7А В1 
C6 0C 14 
20975852 


44 


90 


02 
04 
05 


81 
21 
59 
D4 
00 


92 
04 
95 


47 
2В 
15 
03 
00 


Multilinear Galois Mode (MGM) 


66 


BC 


92 
04 
95 


95 
F9 
A6 
F8 
00 


02 
04 
05 


6E 
FD 
BA 
83 
00 


00 


30 


90 


30 


2C 


30 


OD 


30 


49 


30 


E3 


90 
5B 
85 
DO 


02 
04 
05 


90 
5B 
85 
DO 
00 


FF 


5A 


AA 


5A 


5B 


5A 


0A 


5A 


01 


5A 


33 


55 
D3 
93 
AB 


01 
03 
05 


55 
D3 
93 
AB 
00 


EE 


46 


56 


46 


6E 


46 


C1 


46 


2F 


46 


56 


B8 
F7 
6B 
94 


01 
03 
00 


B8 
F7 
6B 
94 
00 


DD 


8D 


7E 


8D 


AC 


8D 


E6 


8D 


ВЕ 


80 


91 


АЗ 
06 
5D 
42 


01 
03 
00 


A3 
06 
5D 
42 
00 


Informational 


CC 


42 


F1 


42 


21 


42 


C2 


42 


E8 


42 


B2 


3D 
9A 
QE 
06 


01 
03 
00 


3D 
9A 
QE 
06 
00 


BB 


B9 


53 


B9 


61 


B9 


47 


B9 


6A 


B9 


др 


Е8 
Ар 
А9 
95 


91 
03 
00 


E8 
AD 
A9 
95 
00 


01 
03 
00 


OF 
C1 
F6 
C7 
00 


99 


ED 


DB 


ED 


94 


ED 


8F 


ED 


6D 


ED 


33 


42 
6B 
85 
6D 


91 
03 
00 


42 
6B 
85 
6D 
00 


88 


CD 


01 
03 
00 


FC 
39 
1C 
EB 
00 


June 2021 


Page 12 


RFC 9058 Multilinear Galois Mode (MGM) June 2021 


3. Authentication tag T generation step: 
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27 


76 


D5 


27 


CD 


I 


27 


A2 


4A 


27 


ас 


20 


27 


BF 


6B 


27 


8A 


58 


27 


88 


73 


27 


B3 


BB 


86 


95 


AB 


86 


B1 


28 


86 


4D 


B3 


86 


EA 


6A 


86 


BE 


C6 


86 


2C 


D7 


86 


EA 


76 


86 


9E 


99 


C6 


30 


CF 


C6 


QE 


C5 


C6 


B9 


D9 


C6 


59 


E1 


C6 


FD 


46 


C6 


E9 


QE 


C6 


C3 


AD 


C6 


QF 


88 


6F 


OB 


38 


6F 


31 


73 


6F 


0A 


42 


6F 


DB 


5A 


6F 


43 


4D 


6F 


D2 


ES 


6F 


31 


40 


6F 


B8 
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00000: 99 1A F5 C9 D0 80 F7 63 87 FE 64 9E 7C 93 C6 42 


00000: 7F C2 45 A8 58 6E 66 0A A7 BB DB 27 86 BD C6 6F 


00000: BC BC E6 C4 1A АЗ 55 A4 14 88 62 BF 64 BD 83 0D 
len(A) || 1еп(С): 

00000: 900 00 00 00 00 00 01 48 00 00 00 00 00 00 02 18 
sum (xor) (НО (x) ( 1еп(А) || len(C) ) ): 

00000: са C7 22 DB БЕ 0B 06 DB 25 76 73 83 Зр 56 71 28 


magii: 
00000: CF 5D 65 6F 40 СЗ АҒ 5C 46 E8 ВВ ВЕ 29 FC DB 4C 


A.1.2. Example 2 


Encryption key K: 
00000: 99 AA ВВ СС DD ЕЕ FF @@ 11 22 33 44 55 66 77 FE 
00010: DC BA 98 76 54 32 10 01 23 45 67 89 AB CD EF 88 


ICN: 
00000: 11 22 33 44 55 66 77 00 FF EE DD CC ВВ AA 99 88 


Associated authenticated data A: 
00000: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 


Plaintext P: 
00000: 


1. Encryption step: 
С . 


00000: 


2. Padding step: 


A 1 бое ШРАЯНЕ 

00000: 015015012011:0129170//$01/201120:1150150 1501120150112: ӨЛ 
CE He ПЕ 

00000: 
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3. Authentication tag T generation step: 


ТЕМ: 

00000: 91 22 33 44 55 66 77 00 
Zm: 

00000: 79 32 72 68 96 С4 ЗЕ ЗЕ 
КЕСЕ 


00000: 99 ЗА 80 66 СС CO А4 OF 
current sum: 
00000: 0A C1 1E 2C 1C 06 07 D8 


25 

00000: 79 32 72 68 96 C4 ЗЕ 40 
27 

00000: ӨС 38 A7 1E E7 93 BF 76 
len(A) || len(C): 


FF 


BF 


AC 


2F 


BF 


89 


EE 


D6 


4A 


E3 


D6 


81 


00000: 900 00 00 00 00 00 00 80 00 00 
sum (хог) ( H_2 (x) ( len(A) || len(C) 
00000: CA 1E F8 92 71 EA 60 C4 53 9E 


Tag T: 


00000: 79 01 E9 EA 20 85 CD 24 7E D2 


DD CC 


50 89 


49 69 


A.2. Test Vectors for the Magma Block Cipher 
Test vectors for the Magma block cipher (n = 64, k = 256) are defined in [GOST3412-2015] (the 


English version can be found in [RFC8891]). 
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BB 


EB 


A2 


B4 


EB 


7C 


00 


26 


5F 


99 


E5 


6D 


02 


E5 


78 


00 


80 


8A 


88 


B6 


9B 


81 


B6 


C8 


00 


5D 


85 
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A.2.1. Example 1 


Encryption key K: 


Multilinear Galois Mode (MGM) 


00000: FF EE DD CC BB AA 99 
00010: FO F1 F2 ҒЗ F4 F5 F6 
ICN: 

00000: 12 DE F0 6B 3C 13 0A 
Associated authenticated data 
00000: 01 01 01 01 01 01 91 
00010: 03 03 03 03 03 03 03 
00020: 05 05 05 05 05 05 05 
Plaintext P: 

00000: FF EE DD CC BB AA 99 
00010: 88 99 AA BB CC EE FF 
00020: 99 AA BB CC EE FF 0A 
00030: AA BB CC EE FF 0A 00 
00040: AA BB CC 
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77 
F8 


02 
04 
EA 


11 
00 
11 
22 
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66 
F9 


02 
04 


55 


02 
04 


33 
22 
33 
44 


44 


02 
04 


44 
33 
44 
55 


33 
FC 


02 
04 


55 
44 
55 
66 


22 


02 
04 


66 
55 
66 
77 


lal 


92 
04 


77 
66 
7 
88 


00 


02 
04 
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1. Encryption step: 


аке 
00000: 12 
Yee а 

00000: 56 
E_K(Y_1): 
00000: 38 
Ves 

00000: 56 
ETKEN 2) 
00000: 94 
УЗ 

00000: 56 
E КҮЗ): 
00000: 97 
VTA: 

00000: 56 
ЕК2) 
00000: 94 
WARD 

00000: 56 
ВЕК 5) 
00000: 03 
Ү 6: 

00000: 56 
E_K(Y_6): 
00000: FD 
VERAS 

00000: 56 
ESKQY S7 
00000: DA 
NO: 

00000: 56 
E. K(Y.8) : 
00000: 65 
Маб 

00000: 56 
E_K(Y_9): 
00000: A9 
Cx 

00000: CZ 
00010: 1F 
00020: 9A 
00030: 70 
00040: 03 
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DE 


23 


7В 


23 


33 


23 


B7 


FQ 


89 


DB 


89 


00 


89 


AA 


89 


52 


89 


68 


89 


Е8 


89 


90 


89 


73 


89 


50 


06 
00 
D3 
5C 
9C 


6B 


01 


AQ 


01 


06 


01 


6D 


91 


8B 


01 


BF 


01 


4E 


01 


8A 


01 


96 


01 


4A 


6C 
D6 
73 
64 


3C 


62 
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gA 


31 


39 


31 


Е2 


31 


87 


31 


E8 


31 


D6 


31 


D2 


31 


75 


31 


4B 


31 


ЕЕ 


A0 
78 
DC 
75 


59 


ВЕ 


B3 


CO 


AE 


C1 


57 


C2 


gA 


C3 


70 


C4 


FE 


C5 


C4 


C6 


D7 


C7 
26 
3B 85 11 33 42 45 91 85 AE 
5D 94 04 70 B8 BB 9C 8E 7D 


70 EC 27 CB 0A CE 6F A5 76 
D5 47 AA 37 C3 BC B5 C3 4E 
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2. Padding step: 


А_1 || 
00000: 
00010: 
00020: 


СЕП 111 
00000: 
00010: 
00020: 
00030: 
00040: 


Smyshlyaev, et al. 


Па. 


01 01 01 
03 03 03 
05 05 05 


|| Са: 


C7 95 06 
1F 2E 00 
9A 5D D3 
70 F6 5C 
03 BB 9C 


01 
03 
05 


6C 
D6 
73 
64 
00 


01 
03 
05 


5F 
BF 
1F 
6A 
да 
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01 
03 
05 


9E 
2B 
7D 
BB 
00 


01 
03 
05 


Ад 
78 
DC 
75 
00 


01 
03 
05 


3B 
5D 
70 
D5 
00 


02 
04 
EA 


85 
94 
EC 
47 


02 
04 
00 


11 
04 
27 
AA 


02 
04 
00 


33 
70 
CB 
37 
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02 
04 
00 


42 
B8 
gA 
C3 


02 
04 
00 


45 
BB 
CE 
BC 


02 
04 
00 


91 
9C 
6F 
B5 


02 
04 
00 


85 
8E 
A5 
C3 


02 
04 
00 


AE 
7D 
76 
4E 
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3. Authentication tag T generation step: 
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gea Ill 
00000: 


00000: 


00000: 


00000: 


00000: 


00000: 


00000: 


current 
00000: 


LEE 
00000: 
Н_8: 
00000: 
current 
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ICN: 


92 


2B 


78 


sum: 


D6 


2B 


6F 


sum: 


DD 


2B 


OF 


sum: 


95 


2В 


B9 


sum: 


D1 


2B 


74 


sum: 


56 


2B 


7Е 


sum: 


ЗЕ 


2В 


C2 


sum: 


15 


2B 


F5 


sum: 


DE 


97 


ЗЕ 


95 
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59 


AQ 
AA 


62 


AQ 
A3 


A5 


AQ 
05 


C7 


AQ 
F9 


97 


AQ 
88 


1A 


AQ 
C3 


4D 


AQ 
BO 


02 


AQ 


BS 
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current 
00000: 


210 
00000: 
H. 10: 
00000: 
current 
00000: 


ТАЕ 
00000: 
Bet: 
00000: 
current 
00000: 


|26 
00000: 
НЕТ 
00000: 
current 
00000: 


да За 
00000: 
НЕЗ 
00000: 
current 
00000: 


Z_14: 
00000: 
H_14: 
00000: 
current 
00000: 


ESSE 
00000: 
H 15: 
00000: 
current 
00000: 


2241162 
00000: 
HETO: 
00000: 
len(A) 
00000: 
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1.2. 


2В 


F7 


sum: 


6E 


2B 


65 


sum: 


A4 


2B 


1C 


sum: 


60 


2B 


DC 


sum: 


EE 


2B 


A7 


sum: 


са 


2B 


A5 


sum: 


73 


2В 


6E 


sum: 


2 


56 


07 


78 


3F 


E7 


0A 


ЗЕ 


АЗ 


А7 


ЗЕ 


A5 


4E 


ЗЕ 


47 


B9 


ЗЕ 


АЕ 


QF 


3F 


BB 


6E 


ЗЕ 


4c 


69 


2B 07 ЗЕ 


83 11 B6 


|| 1еп(С): 


02 


00 00 01 48 
sum (xor) ( H_16 (x) 


EB 


94 


4A 
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40 


F3 


B8 


5F 


F3 


FQ 


45 


F3 


BO 


85 


L3 


E7 


E. 


F3 


EE 


AF 


F3 


80 


37 


ЕЗ 


52 


53 


ЕЗ 


A9 


EO 


792 


93 


20 


72: 


81 


14 


72 


D5 


75 


72 


83 


83 


2/2; 


16 


6D 


72 


DQ 


CD 


72 


5С 


F5 


72, 


66 


00 00 02 
( len(A) 


93 


AQ 
3C 


48 


AQ 
45 


22 


Ад 
95 


14 


Ад 
EZ 


E8 


AQ 
E3 


CB 


AQ 
71 


CC 


AQ 
5D 


39 


AQ 
C1 


18 
|| len(C) ) ): 
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00000: 73 CE F4 4B AE 6B DB 61 


Tag T: 


00000: A7 92 80 69 AA 180 FD 10 


A.2.2. Example 2 


Encryption key K: 
00000: 99 АА ВВ CC DD EE FF 00 11 22 33 44 55 66 77 FE 
00010: DC BA 98 76 54 32 10 01 23 45 67 89 AB CD EF 88 


ICN: 


00000: 00 77 66 55 44 33 22 11 


Associated authenticated data A: 


00000: 


Plaintext P: 


00000: 22 33 44 55 66 77 00 FF 


1. Encryption step: 


0^1 || ICN: 


00000: 00 77 66 


Meses 


00000: 5B 2A 7E 


E_K(Y_1): 


00000: 48 A6 A5 


С . 


00000: 6A 95 E1 


2. Padding step: 


А 
00000: 


en 


es |] Са 
00000: 6A 95 E1 


Smyshlyaev, et al. 


55 44 33 22 


60 4F 9F BB 


17 0D 52 9D 


42 6B 25 9D 


42 6B 25 9D 


11 


95 


B1 


4E 


4E 


Informational 


June 2021 


Page 23 


RFC 9058 Multilinear Galois Mode (MGM) 


3. Authentication tag T generation step: 


ТЕМ: 

00000: 80 77 66 55 44 33 22 
ИЕ 

00000: 59173 54 78 7Е 52 Еб 
КЕСЕ 


00000: ЕС ЕЗ Ғ9 DA 11 8С 70 
current sum: 


00000: 25 00 E4 20 7В 6B F6 
ИВ: 
00000: 59 73 54 79 7Е 52 E6 
НЕЕ 


00000: 31 0C 0D AC C9 00 4D 
len(A) || len(C): 

00000: 00 00 00 00 00 00 00 
sum (xor) ( H.2 (x) ( len(A) 
00000: 66 D3 ВЕ 12 ӨЕ 78 92 


Tag T: 
00000: 33 4E E2 70 45 0B EC 
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